All Android apps contain a cryptographic signature that the operating system uses to check that the program is legitimate and has not been tampered with.

But Bluebox said it had found a way to make changes to an app’s code without affecting the signature.

It warned the technique could be used to install a Trojan to read any data on a device, harvest passwords, record phone calls, take photos and carry out other functions.

According to Symantec, hackers have now exploited the flaw to install malware called Android.Skullkey, which steals data from compromised phones, monitors texts received and written on the handset, and also sends its own SMS messages to premium numbers.

It said the Trojan had been added to two legitimate apps used in China to find and make appointments with a doctor.